Department of Homeland Security

DHS Uses Social Media To Enhance Information
Sharing and Mission Operations, But Additional
Oversight and Guidance Are Needed

OIG-13-115                             September 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

September 5, 2013

MEMORANDUM FOR:   Clark W. Stevens
                  Assistant Secretary
                  Office of Public Affairs

FROM:             Frank Deffer
                  Assistant Inspector General
                  Office of Information Technology Audits

SUBJECT:          DHS Uses Social Media To Enhance Information Sharing and
                  Mission Operations, But Additional Oversight and Guidance
                  Are Needed

Attached for your information is our final report, DHS Uses Social Media To Enhance
Information Sharing and Mission Operations, But Additional Oversight and Guidance Are
Needed. We incorporated the formal comments from the Department in the final report.

The report contains five recommendations aimed at improving the effectiveness of the use
of Web 2.0 technology. The Department concurred with recommendations 1 and 3, but did
not concur with recommendations 2, 4, and 5. As prescribed by the Department of
Homeland Security Directive 077-01, Follow-Up and Resolutions for Office of Inspector
General Report Recommendations, within 90 days of the date of this memorandum, please
provide our office with a written response that includes your (1) agreement or
disagreement, (2) corrective action plan, and (3) target completion date for each
recommendation. Also, please include responsible parties and any other supporting
documentation necessary to inform us about the current status of the recommendation.

Once the Department has fully implemented the recommendations, please submit a formal
closeout request to us within 30 days so that we may close the recommendations. The
request should be accompanied by evidence of completion of agreed-upon corrective
actions.

Please email a signed PDF copy of all responses and closeout requests to
OIGITAuditsFollowup@oig.dhs.gov. Until your response is received and evaluated, the
recommendations will be considered open and unresolved. We will post the report on our
website for public dissemination.

Please call me with any questions, or your staff may contact Richard Harsche, Director,
Information Management Division, at (202) 254-5448.

Attachment

Table of Contents
Executive Summary
Background
Results of Audit
           DHS Uses Social Media Effectively for Public Outreach
           DHS Recognizes Value in Using Social Media To Enhance Mission Operations But
           Additional Oversight and Guidance Are Needed
           Improvements Are Needed For Centralized Oversight and Coordination
           Recommendations
           Management Comments and OIG Analysis

Appendixes
           Appendix A:          Objectives, Scope, and Methodology
           Appendix B:          Management Comments to the Draft Report
           Appendix C:          Major Contributors to This Report
           Appendix D:          Report Distribution

Abbreviations
           CBP                   U.S. Customs and Border Protection
           DHS                   Department of Homeland Security
           CISO                  Chief Information Security Officer
           FEMA                  Federal Emergency Management Agency
           ICE                   Immigration and Customs Enforcement
           GAO                   Government Accountability Office
           NIST                  National Institute of Standards and Technology
           NOC                   National Operations Center
           OCIO                  Office of the Chief Information Officer
           OIG                   Office of Inspector General
           OMB                   Office of Management and Budget
           OPA                   Office of Public Affairs
           PIA                   Privacy Impact Assessment
           PII                   Personally Identifiable Information
           PTA                   Privacy Threshold Analysis
           TSA                   Transportation Security Administration
           USCG                  U.S. Coast Guard
           USCIS                 U.S. Citizenship and Immigration Services
           USSS                  U.S. Secret Service

Executive Summary
We audited the Department of Homeland Security’s (DHS) efforts to implement Web 2.0
technology, also known as social media. The objective of our audit was to determine the
effectiveness of DHS’ and its components’ use of Web 2.0 technologies to facilitate
information sharing and enhance mission operations.
The scope and methodology of this
audit are discussed further in appendix A.

Although DHS prohibits social media access to employees using a government-issued
electronic device or computer unless a waiver or exception is granted, the Department has
steadily increased its use of various social media sites over the past 5 years. Specifically, the
Department and each of its seven operational components have established accounts on
commonly used social media sites, such as Twitter, Facebook, blog sites, and YouTube, for
outreach purposes. Public affairs employees have had wide success using these sites to
share information and conduct public outreach efforts. These initiatives were effectively
managed and administered by Department and component level public affairs offices. In
addition, component public affairs offices have implemented policies and procedures to
provide guidance to employees.

DHS and its operational components have recognized the value of using social media to gain
situational awareness and support mission operations, including law enforcement and
intelligence-gathering efforts. However, additional oversight and guidance are needed to
ensure that employees use technologies appropriately. In addition, improvements are
needed for centralized oversight to ensure that leadership is aware of how social media are
being used and for better coordination to share best practices.
Until improvements are
made, the Department is hindered in its ability to assess all the benefits and risks of using
social media to support mission operations.

We are recommending that the Department communicate the process to gain access to
social media; establish a list of approved social media accounts used throughout the
Department; complete the Department-wide social media policy to provide legal, privacy,
and information security guidelines for the approved uses of social media; ensure that
components develop and implement social media policies; and establish a forum for the
Department and its components to collaborate and make decisions on the use of social
media tools.

Background
The Homeland Security Act of 2002 established the Department and its primary
missions, which include preventing terrorist attacks within the United States; enforcing
and administering the immigration laws of the United States; securing the nation’s
borders; and ensuring the nation’s resilience to disasters. To support its mission
operations, DHS relies on a vast array of information technology, including
Internet-based services using Web 2.0 technologies.

Web 2.0 technologies, the second generation of the World Wide Web, provide a
platform for Web-based communities of interest, collaboration, and interactive services.
These technologies include Web logs, known as blogs, which allow individuals to post
and respond to information. Additionally, Web 2.0 technologies include third-party
social media websites that allow individuals or groups to create, organize, edit,
comment on, and share information.
DHS has defined social media as websites,
applications, and Web-based tools that connect users to engage in dialogue, share
information, collaborate, and interact.[1] Social media take many different forms,
including Web-based communities, social networking sites, and video and photo sharing
sites. Some commonly known social media providers include Facebook, Twitter, and
YouTube.

        Facebook is a social media website that allows users to create personal profiles
        and to locate and connect with other Facebook users. Users can also establish a
        page to represent a business, public figure, or organization. These pages are
        used to disseminate information and provide users a structure to post their
        responses. In September 2012, Facebook reportedly had more than 1 billion
        active users.

        Twitter is a social networking site that allows users to share and receive
        information through short messages limited to 140 characters in length, known
        as “tweets.” Twitter users can establish accounts, post messages to their profile
        page, and reply to other users’ tweets. In December 2012, Twitter reported
        having 200 million registered accounts.

        YouTube is a video-sharing site that allows users to watch, add, comment on,
        and share videos. Users can establish accounts on YouTube by providing a small
        amount of personal information.
        More than 800 million unique users visit the
        site, and more than 4 billion hours of video are watched each month.

[1] Department of Homeland Security Instruction 110-01-001, Privacy Policy for Operational Use of Social
Media, June 8, 2012.

The popularity of Web 2.0 technologies continues to grow. In 2011, nearly four in five
active Internet users visited social media websites and blogs, and Americans spent more
time on Facebook than any other website.[2] The Nielsen Company reported that, in July
2011, Americans spent more than 88 billion minutes on social media sites, and that
number increased to more than 121 billion minutes in July 2012.[3] The use of social
networking services now reportedly exceeds Web-based e-mail usage, and the number
of American users frequenting online video sites has more than tripled since 2003.
Overall, as of 2011, Americans spent 23 percent of their time online visiting blogs and
social media websites.

Federal Guidance for Open Government

President Barack Obama endorsed the use of Web 2.0 technologies by Federal agencies
in a 2009 memorandum promoting transparency and open government.[4] In this
memorandum, Federal agencies were encouraged to use new technologies to put
information about their operations online so that it would be more accessible to the
public. Agencies were also encouraged to solicit public comments by providing
opportunities for the public to contribute ideas and expertise through collaboration.

The President called on the Office of Management and Budget (OMB) to issue guidance
for increasing government transparency and collaboration.
In response, OMB has
issued a number of guidance documents, including:

•      Social Media, Web-Based Interactive Technologies, and the Paperwork Reduction
       Act, issued April 7, 2010, which explains when and how the Paperwork Reduction
       Act of 1995 applies to social media.[5]

•      Guidance for Online Use of Web Measurement and Customization Technologies,
       issued June 25, 2010, which explains how Federal agencies can use Web
       measurement and customization technologies to better serve the public while
       still safeguarding privacy.[6]

•      Guidance for Agency Use of Third-party Websites and Applications, issued June
       25, 2010, which states that the use of Web 2.0 technologies requires vigilance to
       protect individual privacy and provides guidance to agencies to protect privacy
       when using social media websites.[7]

[2] A blog is a website that consists of a series of entries arranged in reverse chronological order, updated
frequently with new information about particular topics. It often contains the writer’s own personal
experiences, opinions, and observations, or those of guest writers.
[3] The Nielsen Company provides information and measurement that enable companies to understand
consumers and consumers’ behaviors.
[4] President Barack Obama, Memorandum on Transparency and Open Government, January 21, 2009.
[5] OMB Memorandum, Social Media, Web-Based Interactive Technologies, and the Paperwork Reduction
Act, April 7, 2010.
[6] OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, June 25,
2010.

Federal agencies are increasingly using Web 2.0
technologies, such as social media
websites, to share information, collaborate with the public, and increase transparency.
As of May 2012, all 24 major Federal agencies had established a social media presence.
For example, the National Aeronautics and Space Administration had as many as 3.3
million followers on Twitter. DHS activated a Twitter account in 2010 and, by November
2012, had 118,977 Twitter followers and had issued 2,796 tweets.

While the use of social media technologies can effectively engage the public and
increase citizen involvement in government efforts, these technologies can also pose
challenges in protecting personal information and ensuring the security of information
systems.

Determining how the Privacy Act of 1974, as amended, applies to departmental use of
social media requires careful evaluation.[8] This Act protects personally identifiable
information (PII) by ensuring that Federal agencies collect only necessary and relevant
information to an agency’s function, and that the information is maintained in a manner
that protects an individual’s privacy. Examples of PII include name, date of birth, Social
Security number, and any other unique information that could identify an individual.
Because of the interactive nature of social media technologies, OMB requires that, in
addition to following existing OMB guidance and privacy laws such as the Privacy Act,
Federal agencies must have transparent privacy policies, provide notice for external
website links, and conduct analysis of the privacy implications whenever they use
third-party technologies to engage with the public.[9] For example, OMB states that an agency
should post a privacy notice on a third-party website it uses to indicate whether and
how the agency will maintain, use, or share PII.
Agencies should also only collect the
minimum necessary PII to perform their purpose or functions.

The rapid development of social media technologies presents challenges to keep up
with evolving threats, such as unauthorized individuals gaining access to the enterprise
network and identity theft. For example, the DHS Office of the Chief Information Officer
(OCIO) reported that the use of these Internet-based technologies increases the risk of a
malware infiltration, which may harm government systems or networks.[10] The
Department conducted a risk assessment in 2012 and identified additional risks
associated with employee use of social media technology, which cannot be monitored
by traditional methods.[11] The assessment also identified potential risks of security
breaches, such as data spillage, reputation erosion, and loss of time and resources.

[7] OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, June 25, 2010.
[8] 5 U.S.C. § 552a.
[9] OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, June 25, 2010.
[10] Malware is malicious software meant to interfere with or damage a computer or computer system.

Organizational Structure for Department-Wide Management of Social Media

To address these risks, DHS has established an organizational structure to manage its
Department-wide use of social media.[12] Four DHS offices share this responsibility. For
the use of social media for outreach purposes, the DHS Office of Public Affairs (OPA)
serves as the primary account holder for all DHS and component social media websites
and ensures that posted content meets the appropriate requirements for publicly
available information.
The DHS Privacy Office is responsible for ensuring that DHS use
of social media is compliant with privacy laws, while component level privacy offices are
responsible for ensuring the implementation of DHS’ privacy policies. The DHS OCIO is
responsible for providing overall policy implementation and procedural guidance for the
Web and associated systems, and ensuring adherence to policies, laws, regulations, and
guidance, including those that are related to accessibility, privacy, and security. The
Office of General Counsel provides legal advice and guidance on the Department’s use
of social media to all DHS components, including the DHS Privacy Office and component
privacy offices. Figure 1 shows these four offices within the DHS organization.

                          Figure 1. DHS Organization Chart as of 2012
                (*The Management Directorate has six offices, including the Department’s
                              Office of the Chief Information Officer)

[11] DHS Office of the Chief Information Security Officer, Social Media Risk Assessment Report, May 15,
2012.
[12] DHS Office of Inspector General (OIG) follows its own social media procedures and relies on its own
attorneys, privacy officer, information security personnel, etc.

The Department Grants Access to Social Media Websites on a Limited Basis

The Department is responsible for ensuring that employees who use social media are in
compliance with Federal and departmental requirements for security of information
systems.
For example, the Federal Information Security Management Act of 2002, as
amended, assigns agencies the responsibility for the security of information collected or
maintained on their behalf and for information systems used or operated on their
behalf.[13] Additionally, in 2009, the National Institute of Standards and Technology
(NIST) issued guidance directing agencies to identify security controls for information
systems for internal and third-party systems.[14] According to the guidance, the use of a
risk-based approach is important when an agency is using technology for which its
ability to establish security controls may be limited, such as when using a third-party
social media service.

To limit its risk, DHS blocks social media sites from Department employees and
contractors unless access approval is granted for official work purposes. DHS
established a process in 2012 to grant access to employees whose job functions require
the use of specific social media websites.[15] These employees must complete and submit
a “Secure Internet Gateway” request to their component Security Operations Center.
This request must include a business justification explaining the need to access specific
blocked sites for work purposes. Component OCIO officials review the requests for
technical accuracy and to validate that the business justification is in line with the
component’s mission. Once the review is completed, the DHS Security Operations
Center performs a risk assessment of the request to determine the level of risk to the
DHS network and decides whether access should be granted.

Components may also request access to social media websites through a waiver or
exception process. A waiver (valid for a specific timeframe) or exception (valid for an
indefinite amount of time) is a request to bypass standard DHS security guidelines and
policies, such as obtaining access to websites that are normally blocked.
This process
requires the approval of the component Chief Information Security Officer (CISO) and
the DHS CISO. The Department had processed four exceptions and waivers as of 2012.
Specifically, the Federal Emergency Management Agency (FEMA) was given waivers in
2010 and 2011 and applied for an additional waiver in 2012 to use social media to meet
its mission requirements. U.S. Customs and Border Protection (CBP) was granted an
exception for access to a specific website in 2009.

[13] FISMA, Title III, E-Government Act of 2002, Pub. L. 107-347, December 17, 2002, 44 U.S.C. § 3541, et
seq.
[14] NIST, Recommended Security Controls for Federal Information Systems and Organizations, Special
Publication 800-53, Revision 3, August 2009.
[15] Secure Internet Gateway Process V1.0, OIT DDC, December 4, 2012.

Since 2007, the Department has been granting social media access on a case-by-case
basis to support various public affairs or operational missions. Specifically, DHS uses
social media to provide additional sources of communications to reach a wider
audience, support operational activities such as investigations, and maintain situational
awareness.
The following describes these three categories of social media use.

•      Communications comprises external communications, which include messaging,
       outreach, and public dialogue; and internal communications, which include the
       dissemination of key policy, procedural, and operational information to
       employees.

•      Operational use includes the use of social media to collect information for the
       purpose of investigating an individual in a criminal, civil, or administrative
       context; making a benefit determination about a person; making a personnel
       determination about a Department employee; making a suitability
       determination about a prospective employee; or other official departmental
       purposes that have the potential to affect the rights, privileges, or benefits of an
       individual.

•      Situational awareness includes information gathered from a variety of sources
       that, when communicated to emergency managers and decision makers, can
       form the basis for incident management decision making.

Results of Audit
DHS Uses Social Media Effectively for Public Outreach

       Social media sites are a critical tool for DHS and its components to engage the
       public in DHS mission efforts, evidenced by a wide DHS presence on commonly
       used social media websites. The Department and components’ public affairs
       offices have determined that the use of social media sites is more effective than
       static websites alone for external communications and public outreach.
       These
       efforts were effectively managed by Department and component level public
       affairs officials who had ample guidelines and procedures in place to ensure that
       employees follow protocol.

       DHS Shares Information with the Public

       Social media sites have become an important method for DHS and its
       components to conduct outreach and share information with stakeholders. DHS
       began its first blog in 2007 to make information and services widely available,
       while promoting transparency and accountability. DHS components, such as U.S.
       Coast Guard (USCG) and FEMA, also began using social media websites as early
       as 2007 to communicate their mission accomplishments and provide informative
       tips to the public. Component public affairs officials told us that the use of social
       media has been steadily increasing since that time. As of November 2012, at
       least 395 employees had access to social media websites at DHS headquarters
       alone; and all seven operational components had established accounts on at
       least one of the most commonly used social media sites — Twitter, Facebook,
       blog sites, or YouTube — as shown in figure 2.

        [Figure: columns for CBP, FEMA, ICE, TSA, USCG, USCIS, and USSS]

        Figure 2. Most Commonly Used Social Media Tools for Public Outreach[16]

        DHS and component public affairs offices have used social media tools to
        augment external communications and public outreach efforts.
Representatives\n        from the Department and component public affairs offices said that social media\n        tools are more effective in generating awareness of DHS\xe2\x80\x99 missions and\n        achievements than static websites alone, helping DHS reach a wider audience.\n        Officials also told us that the use of these tools provides a more formal process\n        for measuring public interest through ongoing comments and interaction that\n        was not possible before. Specifically, counting Facebook likes, YouTube views,\n        comments posted and \xe2\x80\x9cretweets\xe2\x80\x9d can indicate how widely a particular posting is\n        received.17 For example, as of December 2012, USCG had more than 165,000\n        users following its Facebook page, and FEMA had more than 186,000 Twitter\n        followers. The U.S. Citizenship and Immigration Services (USCIS) Office of\n        Communications added a video of a mock citizenship interview and test to\n        YouTube in November 2010, and the video had more than 522,000 views as of\n        December 2012.\n\n        The Department has also reported on the importance of using social media to\n        augment DHS\xe2\x80\x99 emergency management communications. In testimony before\n        the Senate Committee on Homeland Security and Governmental Affairs in May\n        2011, the FEMA Administrator said that social media is extremely valuable\n        during disaster and emergency situations for its capabilities to collaborate with\n\n\n16\n   These icons represent the most common social media accounts used by CBP, FEMA, U.S. Immigration\n\nand Customs Enforcement (ICE), Transportation Security Administration (TSA), USCG, USCIS, and U.S. \n\nSecret Service (USSS). DHS OIG does not endorse any non-governmental websites, enterprises, or \n\nservices. 
individuals, communities, and emergency response stakeholders.[18] FEMA officials also reported that social media tools, such as Facebook and Twitter, are critical before disaster situations to provide preparedness information, as well as during and after disaster events to provide emergency management tips and specific instructions for victims. For example, following Hurricane Sandy in October 2012, FEMA’s Office of External Affairs posted information on its Facebook site about new disaster recovery centers in the New York City area for residents to apply for assistance, charge cellular phones, and obtain food and water. The post also included an interactive link for a disaster recovery center locator. FEMA’s Office of External Affairs has used Twitter since 2008, along with the FEMA blog since 2010, to communicate with the public and provide assistance to disaster survivors.[19]

17 The Facebook "like" button is a feature that allows users to show their support for specific comments, pictures, wall posts, statuses, or fan pages.

Likewise, the USCG OPA has used Twitter and The Coast Guard Compass, the USCG blog, to provide the public with updates after disasters.[20] Fourteen Twitter accounts have been established across the USCG’s district offices to provide information specific to local events. For example, a blog post in November 2012 outlined actions that USCG had taken in response to Hurricane Sandy, such as efforts to restore fuel flow to the New York City area.
The blog post also noted that prior to Hurricane Sandy, USCG worked to prepare Eastern seaboard ports to minimize disruption and emphasized USCG’s commitment to restore the marine transportation system in the ports of New York and New Jersey. This blog post was shared 361 times.

Component public affairs employees frequently use Twitter, Facebook, and blogs to post time-sensitive information or specific news and current events. For example, the TSA Office of Strategic Communications and Public Affairs maintains a TSA Blog, which provides seasonal tips to help travelers deal with holiday-related issues, such as how to travel with food or how wrapped gifts may be subject to inspections.[21] Component officials also respond to questions frequently posted to blogs or Facebook sites. For example, the USCIS Office of Communications uses its blog, The Beacon, to address inaccurate information posted on immigration forums or prevent common mistakes made by

18 U.S.
Senate, Subcommittee on Disaster Recovery and Intergovernmental Affairs, Understanding the Power of Social Media as a Communication Tool in the Aftermath of Disasters (Statement of Craig Fugate, Administrator, FEMA), 112th Cong., 1st sess., May 5, 2011.
19 http://www.fema.gov/blog
20 The Coast Guard Compass, http://coastguard.dodlive.mil/
21 The TSA Blog, http://blog.tsa.gov/

applicants.[22] A post on May 17, 2012, discussing the green card process, provided details about the decision process and timeline for applications.

DHS Established Guidelines To Administer Social Media Use For Public Outreach

Department and component level public affairs officials effectively managed external communications and outreach efforts, respectively. DHS OPA, OCIO, and the Privacy Office provide Department-wide guidance for using social media for external communications. Specifically, the DHS OPA authorizes new social media accounts for the Department, in coordination with component public affairs offices, and negotiates terms of service for each social media site in coordination with the DHS Office of General Counsel. OPA also serves as the final authority over content acceptable for posting on social media sites when necessary and ensures that posted content meets the appropriate requirements for publicly available information and materials.
The DHS CISO provides guidelines for rules of conduct as well as standards for social media accounts. For example, according to Attachment X of DHS 4300A Sensitive Systems Handbook, official accounts must be branded with the Department or component seal and use easily identifiable account user names that indicate that the user is representing DHS.[23] This handbook also includes tips to prevent employees from endorsing political parties or sharing classified information. Finally, the DHS Privacy Office requires component offices and programs to conduct a Privacy Threshold Analysis (PTA) for the use of third-party websites to assess whether PII is collected, stored, and managed. If the PTA results in a decision that a Privacy Impact Assessment (PIA) is required, the DHS Privacy Office works with the program to determine the privacy risks and mitigation of the use of the third-party website.

To comply with DHS privacy policies, OPA completed a PIA in 2010 to analyze the privacy risks associated with the Department’s social media interactions. This PIA, Use of Social Networking Interactions and Applications Communication/Outreach/Public Dialogue, covered each of the Department’s approved uses of social media for communications and public outreach.
[24] A second PIA, Use of Unidirectional Social Media Applications Communications and Outreach, was completed in March 2011 for the use of unidirectional social media tools and applications that allow users to view real-time content from a predetermined source.[25] These two PIAs describe the Department’s use of social media from a privacy standpoint.

22 The Beacon, http://blog.uscis.gov/
23 Department of Homeland Security, 4300A Sensitive Systems Handbook Attachment X Social Media, Version 9.1, July 24, 2012.
24 This PIA currently covers 32 approved social networking applications.

Additionally, each of the seven operational components had established component level guidance and procedures for public affairs employees using social media for external communications. Specifically, six of the seven components had documented protocol for posting content, at least four components had documented privacy or comment policies, and at least four components had instituted specific guidance for employee use of social media for communications. For example, according to FEMA’s December 2010 Web 2.0 policy, the FEMA Office of External Affairs has oversight of all external communications on FEMA’s publicly accessible sites. The CBP OPA provided guidance, such as standard operating procedures to field employees, stating that officials in the field must first receive approval before posting content.
CBP also issued a policy in 2012 explaining that social media posting is at the discretion of the CBP OPA.

DHS Recognizes Value in Using Social Media To Enhance Mission Operations, But Additional Oversight and Guidance Are Needed

The Department and its operational components have used social media tools to gain situational awareness and support mission operations, including law enforcement and intelligence-gathering efforts. Although social media sites have been beneficial for these activities, components did not have adequate guidelines or policies to prevent unauthorized or inappropriate uses of the technologies by employees. Recent efforts to establish privacy guidelines for operational uses of social media are progressing. However, additional component level policies and procedures are needed.

Social Media Tools Prove Useful for Increasing Situational Awareness

The Department recognizes that social media sites are a valuable resource for maintaining timely, accurate, and actionable situational awareness of potential and actual incidents that may require a response. DHS officials told us that the Department benefits from the speed and early warning that come with monitoring social media in conjunction with traditional media.
For example, the DHS National Operations Center (NOC) is the primary watch center for situational awareness and is responsible for providing a common operating picture and maintaining communications and coordination to prevent terrorist attacks and manage incidents.

25 Unidirectional social media tools include mobile apps, podcasts, audio and video streams, short message service (SMS) texting, and really simple syndication (RSS) feeds, among others.

To do this, NOC personnel monitor media to discover and track incidents that may affect homeland security by using search terms to find items of potential interest across various websites and, starting in 2010, social media sites.[26] For example, in 2012, NOC staff monitored Twitter for updates on a police search for a man with a gun on the University of Maryland Baltimore County campus. NOC staff also monitored the Twitter accounts of multiple news organizations in 2012 to obtain information on a suspicious letter sent to the Speaker of the U.S. House of Representatives.
With this type of real-time information, staff can provide notification and guidance on safety measures and other actions that should be taken.

Social media has also enabled FEMA Watch Centers to develop more timely situational awareness to communicate information to emergency managers and government officials and improve incident management decision making. FEMA’s National Watch Center uses social media websites as an additional resource to maintain situational awareness of incidents that may require a coordinated Federal response. Watch Center personnel told us that they conduct searches to identify potential incidents that may predicate a coordinated Federal response. For example, the National Watch Center monitors social media during a storm to follow its progression and see how closely it matches the forecast and news reports. FEMA Watch Center staff also use this information to confirm the locations where weather events, such as tornado touchdowns, actually occurred.

Social Media Technologies Support Additional Mission Operations

Some component program offices have increased the use of social media in law enforcement and intelligence-gathering activities to support DHS’ mission. Using social media technologies, DHS personnel can interact with the public and gain access to additional information. Specifically, DHS law enforcement officials can use social media to gather information about suspects in criminal investigations. For example, ICE officials used social media to research a suspect during a child abuse investigation. Photos posted in the suspect’s account revealed a license plate number and address, which enabled ICE to make a quick arrest.
ICE officials told us that using social media for law enforcement purposes enables ICE employees to obtain information that is not always available through other means, such as law enforcement databases.

26 The DHS National Operations Center is in compliance with DHS privacy policies for the use of social media for monitoring and situational awareness.

DHS component program offices also use social media for intelligence-gathering activities to mitigate threats or formulate incident responses. For example, CBP border patrol agents review publicly accessible information from social media sites to gain awareness of potential situations at the border and to alert agents of safety concerns. Similarly, the TSA Office of Intelligence gathers information from several social media sites, including LinkedIn, YouTube, and others, to mitigate threats to the transportation sector, formulate incident responses, and meet situational awareness requirements.[27]

USSS officials told us that they are able to gain information through social media to help prevent potential incidents. Specifically, USSS uses social media to identify potential threats to protectees and protected events.
For example, at the Republican National Convention in August 2012, the USSS learned through social media that a particular individual who had threatened to disrupt the event was in the area and relayed relevant information about that individual to the Protective Intelligence Coordination Center for further action.

Insufficient Guidance for Operational Use of Social Media

Although the Department has seen benefits from using social media to support mission operations, some components did not have specific guidelines or documented policies to ensure the proper use of these tools for situational awareness, law enforcement, or intelligence activities.

Personnel using social media to support mission operations told us that there was a need for additional policies or procedures that address the various challenges and questions relating to the use of social media. Component level procedures for employees who want to create new social media accounts for official purposes, or who are using social media for surveillance and interaction with individuals online, had not been developed. This has led to confusion as to what legal, privacy, and information security boundaries exist when using social media to perform operational tasks. For example, one program office used social media sites to monitor the activities of benefit applicants to help detect fraud.
However, it was determined that the office did not have the proper authority to use social media for undercover work, and the use of social media was halted within the component.

Incidents of this nature led to the development of new departmental policies to ensure that DHS employees are aware of how social media technologies may be used for authorized activities. For example, in June 2012 the Department issued Directive 110-01, which established a formal privacy policy specifically for the operational use of social media to address access to and collection, use, maintenance, retention, disclosure, deletion, and destruction of PII.[28] The Directive also solidified roles and responsibilities for the Chief Privacy Officer, component heads, and component privacy officers, among others.

27 LinkedIn is a social networking website used for professional purposes.

At the same time, the Privacy Office released Instruction 110-01-001, Privacy Policy for Operational Use of Social Media, to provide guidance for implementing Directive 110-01. The Instruction provides detailed definitions and Department-wide responsibilities associated with operational use of social media. The instruction also provides baseline “rules of behavior” for the operational use of social media, such as to use online screen names that indicate an official DHS affiliation while performing official tasks.
To implement Directive 110-01, components were instructed to complete documents that specify the authority and purpose for each category of operational use of social media. Components were also instructed to establish their own rules of behavior to document operational use of social media, including date, site(s) accessed, information collected, and how that information was used. Components were instructed to develop training for the operational use of social media as well. Components were to provide this information to the Privacy Office for approval within 120 days from the release of the Directive. At the time of our audit, all seven component offices were in the process of developing and submitting the required documentation to the Privacy Office for approval. However, Privacy Office officials stated that stronger enforcement mechanisms are needed to ensure that components comply with this new Directive.

The DHS Office of Policy is drafting a Department-wide social media policy to define how social media may be used. At the time of our audit, the policy was undergoing internal review with departmental social media stakeholders.
When implemented, this policy will provide formal roles and responsibilities for the Department’s social media stakeholders and leaders as well as a framework for official uses of social media to conduct communications, operations, intelligence activities, and situational awareness.

28 DHS Directive 110-01, Privacy Policy for Operational Use of Social Media, June 8, 2012, excludes certain operational uses of social media for public outreach, situational awareness, and authorized intelligence activities.

Improvements Are Needed For Centralized Oversight and Coordination

Although DHS components used social media to enhance information sharing and mission operations, the Department did not have a complete inventory of social media accounts, and some component employees had obtained access outside of the exception authorization process. In addition, DHS did not have a formal mechanism for sharing Department-wide best practices for using social media platforms.
As a result, Department stakeholders had not yet achieved an understanding of how social media could be used more effectively to meet mission needs.

Department-Wide Social Media Usage Is Not Understood

The Department could not fully account for how social media were being used. OMB requires Federal agencies to create a list of the third-party websites being used to communicate with the public.[29] To comply with this requirement, Department officials had attempted to establish a comprehensive inventory. OPA had begun to compile a list of official social media websites being used for communications and outreach in 2010. This list was organized according to social media platforms and listed at least 60 DHS accounts used to communicate with the public. However, at the time of our audit it was not clear how often this list was updated or who was responsible for updating the list. Similarly, the DHS Privacy Office developed a list of social media accounts for public outreach in 2010 as part of its privacy compliance process. The Privacy Office conducted its most recent compliance review in early 2012, which resulted in an inventory of 32 social media networking websites used for official DHS communications and outreach purposes.

However, the inventories prepared by OPA and the Privacy Office only listed social media websites being used for public outreach purposes. The Department could not produce a comprehensive, documented inventory for the operational uses of social media and what information is being collected by operational users.
In August 2012 the DHS Privacy Office began an effort to identify and document components’ operational uses of social media, as required by Instruction 110-01-001. As of November 2012, approximately 20 operational uses of social media had been identified across the seven operational components. However, these efforts were not completed at the time of our audit.

29 OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, June 25, 2010.

Attempts to gain awareness of social media use have been hampered by employees who accessed websites outside of the standard process. Some DHS employees stated that they were not aware of the process to gain access or did not know where to go within the Department to request access to social media websites. Some employees told us they use nonstandard equipment, such as smart phones (e.g., iPhones), stand-alone personal computers, and home personal computers to conduct social media activities. For example, employees in one component office used their personal smart phones to gain access to social media websites to perform job duties.

Similar challenges exist for DHS to manage social media accounts effectively as they are established for new users or social media platforms. Although the DHS OPA is responsible for approving new social media accounts, this process was not always followed.
Because most third-party social media sites require minimal information to create an account, component offices with the means to access these sites were able to proceed without obtaining authorization from DHS OPA. For example, Twitter only requires a person to enter his/her name, email address, and a password to create an account. DHS OPA officials told us that occasionally, unauthorized accounts are discovered once they are already active. OPA officials request that these accounts be removed. However, unauthorized accounts are rarely discovered.

Better Coordination Is Needed To Share Social Media Practices

Although using social media has proven beneficial, DHS did not have a formal mechanism to share best practices for using social media platforms. In 2010, DHS OPA established the New Media Compliance Steering Committee to increase coordination across headquarters and operating components; to ensure that social media tools and initiatives complied with Federal laws, regulations, and policies; and to apply standards consistently across the Department. The committee included representatives from all stakeholder offices, including the Office of General Counsel, Office for Civil Rights and Civil Liberties, Privacy Office, OPA, CISO, and Office of Records Management. OPA officials told us that this committee was effective in negotiating terms of service for new social media accounts and in identifying areas for improvement, such as websites that could be used to collect data to measure the success of the Department’s social media use.
However, the New Media Compliance Steering Committee was no longer operational at the time of our audit, and DHS had not established an alternative mechanism to coordinate social media efforts.

Without a committee or formal process to share information, DHS personnel cannot easily communicate or make decisions on how to use certain social media platforms. Consequently, components using social media must conduct their own research when they want to try a new social media platform. DHS personnel in one program office said that they had to research which tool would be most effective to reach a community of practice for a system. These personnel believed that they could have saved time if a working group were in place to coordinate and exchange ideas. Sharing information between the components, rather than having each office and component conduct research separately, would increase efficiency.

In addition, without a centralized working group to share Department-wide best practices and lessons learned, personnel cannot be sure whether they are using the right social media tools or Web 2.0 technologies to their full capacity. Most component personnel told us that they reach out informally to other components with similar mission needs to learn about the different Web 2.0 technology options.
However, most said that a formal working group would be helpful to increase communications and coordination.

Until the Department improves centralized oversight and coordination of social media use, stakeholders will not achieve a consolidated view of how the Department is using social media to conduct outreach and to support mission operations. Further, insufficient management oversight and coordination impedes efforts to institute Department-wide policies, standards, and procedures, leaving employees vulnerable to misuse of Internet technologies. Likewise, without a consolidated view of social media use, stakeholders cannot measure the effectiveness of various social media platforms to reach a wider audience or achieve specific DHS mission goals. Finally, the Department cannot fully assess the risks and challenges that components face when using certain social media sites, making it difficult to identify corrective actions or put improvement plans in place.
Such actions would ensure that future social media technology use is allowed in a more structured and disciplined manner to support DHS’ vast mission objectives.

Recommendations

We recommend that the—

1. Office of Public Affairs, in coordination with the OCIO, communicate the Department’s process for gaining access to social media for employees with an approved business need.

2. Office of Public Affairs, in coordination with the DHS Privacy Office, develop and maintain a list of approved social media accounts and owners throughout the Department.

3. Office of Policy complete the Department-wide social media policy to provide legal, privacy, and information security guidelines for approved uses of social media.

4. Privacy Office ensure that components develop and implement social media policies, as needed.

5. Office of Public Affairs establish a forum for the Department and its components to collaborate and make decisions on the use of social media tools for public affairs purposes, and that the DHS Privacy Office, in coordination with the Office of Operations Coordination and Planning, establish a forum for the Department and its components to collaborate and make decisions on the use of social media tools for operational purposes.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the Acting Chief Privacy Officer for
DHS. We have included a copy of the comments in their entirety in appendix B.

In the comments, the Acting Chief Privacy Officer stated that the Department has significant concerns regarding the accuracy of the report and the recommendations as drafted. Specifically, the Acting Chief Privacy Officer stated that the report mischaracterized the Department’s Directive 110-01; did not accurately represent the work done to implement the Directive; and portrayed a lack of Department-wide guidance regarding the use of social media. The Acting Chief Privacy Officer provided comments on specific areas within the report to address these concerns. We have reviewed the Acting Chief Privacy Officer’s comments, as well as technical comments submitted under separate cover, and made changes to the report as appropriate. However, we disagree with issues that the Acting Chief Privacy Officer raised in the response to our draft report. The following is an evaluation of the issues raised, as outlined in the Department’s comments.

In the comments, the Acting Chief Privacy Officer had concerns with the “OIG’s characterization that components did not have adequate guidelines or policies to prevent unauthorized or inappropriate uses of technologies by employees.” The Acting Chief Privacy Officer stated that Directive 110-01 and its corresponding Instruction 110-01-001 establish a privacy policy for the operational use of social media for the Department.
Although Directive 110-01 and Instruction 110-01-001\n       provide such Department-wide policy, the requirements of the Directive had\n       not been fully implemented.\n\n       The Acting Chief Privacy Officer disagreed with the OIG\xe2\x80\x99s conclusion that\n       additional component level policies and procedures are needed. The Acting\n       Chief Privacy Officer stated that this conclusion minimizes the substantial\n       compliance efforts of DHS components since Directive 110-01 was issued. Our\n       conclusion is based on the fact that the full implementation of social media\n       policies and procedures is not complete. We would note that in his comments,\n       the Acting Chief Privacy Officer appears to support this conclusion when he\n       writes that the DHS Privacy Office had approved social media documentation for\n       \xe2\x80\x9cnearly all\xe2\x80\x9d components and that \xe2\x80\x9cnearly all\xe2\x80\x9d components have implemented\n       the new training required by the Directive. The term \xe2\x80\x9cnearly all\xe2\x80\x9d suggests to us\n       that more work is needed.\n\n       While Directive 110-01 and Instruction 110-01-001 provide a comprehensive\n       privacy policy for operational use of social media, it also requires all DHS\n       employees to obtain approval for each category of operational use of social\n       media and to complete privacy training. 
As stated in our report, we determined\n       that \xe2\x80\x9csome components did not have specific guidelines or documented\n       policies.\xe2\x80\x9d We also noted in the report that \xe2\x80\x9cat the time of our audit, all seven\n       component offices were in the process of developing and submitting the\n       required documentation to the Privacy Office.\xe2\x80\x9d\n\n       Finally, the Acting Chief Privacy Officer emphasized that the DHS Privacy Office\n       established standards, through Directive 110-01, for the use of social media that\n       incorporate privacy protections and transparency. Specifically, the DHS Privacy\n       Office published three Privacy Impact Assessments, as well as five Privacy\n       Compliance Reviews. The audit report recognizes these accomplishments by\n       stating that \xe2\x80\x9cDHS has established guidelines to administer social media for public\n       outreach\xe2\x80\x9d and cites the two Privacy Impact Assessments completed for public\n       outreach purposes. The report also recognizes the Privacy Impact Assessment\n       and Privacy Compliance Reviews completed for the DHS National Operations\n       Center.\n\n       Report Recommendations\n\n       In the comments provided, the Acting Chief Privacy Officer concurred with\n       Recommendations 1 and 3 and did not concur with Recommendations 2, 4, and\n       5.\n\n       In response to Recommendation 1, the Acting Chief Privacy Officer concurred\n       and stated that the Department has established a process for employees with an\n       approved business need to obtain access to social media. 
In response to the\n       recommendation, the DHS Office of Public Affairs, in coordination with the DHS\n       Chief Information Officer, will make the access process available on the DHS\n       Intranet. Further, component level processes for gaining access to social media\n       will be added to the DHS Intranet along with links to component Intranet sites.\n       Finally, the Office of Public Affairs will revise the social media page on the DHS\n       Intranet to reflect all recent updates and guidance for the appropriate use of\n       social media across the Department.\n\n       We recognize the plans and efforts made to increase Department-wide\n       communications of the process for gaining access to social media since our\n       review. We look forward to receiving an update which outlines how the social\n       media access process was communicated to all Department employees. OIG\n       considers this recommendation Open-Unresolved.\n\n       In response to Recommendation 2, the Acting Chief Privacy Officer did not\n       concur with our recommendation to develop and maintain a list of approved\n       social media accounts and owners throughout the Department on the basis that\n       a list for public affairs purposes already exists. Specifically, the Acting Chief\n       Privacy Officer stated that the Office of Public Affairs collects information about\n       each account during the application process for social media accounts. 
Although\n       the Office of Public Affairs has begun to compile a list of social media accounts\n       and websites used for outreach purposes, we determined that multiple\n       inventories had been established by separate offices, with no clear plan for when\n       or how the lists would be updated or maintained.\n\n       With regard to the operational use of social media, the Acting Chief Privacy\n       Officer stated that maintaining such an inventory would compromise security\n       and investigative integrity. The Acting Chief Privacy Officer suggests that lists for\n       operational use of social media be maintained by business owners within each\n       component instead.\n\n       We do not agree with the Acting Chief Privacy Officer on this issue. As stated in\n       our report, we recommend the Department develop and maintain a list of\n       approved social media accounts and owners throughout the Department. Such a\n       list may be established by business owners at the component level, then\n       consolidated in a secure manner, as the Department determines appropriate.\n       The Department operates a wide-area network that is secure at the sensitive but\n       unclassified level, and it provides guidance and tools for components to protect\n       their respective databases. Until the Department gains a consolidated view of\n       social media use, it cannot measure the effectiveness of specific social media\n       platforms to reach a wider audience and achieve various DHS mission goals, or\n       ensure that security, privacy, and other risks are being fully addressed. 
OIG\n       considers this recommendation Open-Unresolved.\n\n       In response to Recommendation 3, the Acting Chief Privacy Officer concurred\n       with our recommendation to complete the Department-wide social media policy\n       to provide legal, privacy, and information security guidelines for approved uses\n       of social media, provided that the Department-wide social media Directive is\n       consistent with DHS privacy policies and guidance and other existing Department\n       policies. The Acting Chief Privacy Officer also mentioned that DHS 4300A\n       Sensitive Systems Handbook, Attachment X provides guidance regarding the use\n       of social media for public affairs purposes as well as required information\n       security guidelines for uses of social media. OIG considers this recommendation\n       Open-Unresolved.\n\n       In response to Recommendation 4, the Acting Chief Privacy Officer did not\n       concur with our recommendation to ensure that components develop and\n       implement social media policies, as needed. The Acting Chief Privacy Officer\n       stated that Directive 110-01 and Instruction 110-01-001 provide for\n       implementation for operational use of social media. Specifically,\n       implementation of the Instruction requires each component to complete\n       templates, along with specific rules of behavior and training of employees prior\n       to engaging in operational use of social media. The Acting Chief Privacy Officer\n       clarified in the comments that the DHS Privacy Office received 16 component\n       templates and approved 13 of those templates before our fieldwork ended in\n       November, 2012. 
According to the Acting Chief Privacy Officer, the remaining\n       three templates were approved in December 2012.\n\n       The Acting Chief Privacy Officer stated that by the conclusion of fieldwork in\n       November, not all component templates had been reviewed or approved by the\n       Privacy Office. During our fieldwork, we determined that some component\n       employees using social media for operational purposes expressed a need for\n       more Departmental or component level guidance. Other component employees\n       with whom we spoke had concerns about the Directive, such as how social\n       media was being defined, or that it would impede operational tasks performed\n       with social media tools. Further, as the Acting Chief Privacy Officer stated in the\n       comments, implementation of Directive 110-01 and Instruction 110-01-001\n       includes training employees prior to engaging in operational use of social media.\n       However, many component employees with access to social media had not\n       heard of the training or had not yet seen the training provided by the Privacy\n       Office. None of the employees we spoke with had completed the training\n       required by the Directive.\n\n       In our report, we recognize the efforts by several components in responding to\n       the requirements of the Directive as well as in developing additional component\n       level policies for employees using social media. We also recognize the efforts of\n       the DHS Privacy Office for issuing the guidance and coordinating all compliance\n       documentation. The Acting Chief Privacy Officer stated that this\n       recommendation is unnecessary and creates redundant requirements for\n       components. 
We do not agree with the Acting Chief Privacy Officer. This\n       recommendation provides support to the Privacy Office in its efforts to compel\n       components to develop and implement component-specific social media\n       policies, as required by Directive 110-01. During our audit, DHS management\n       reported a need for additional enforcement procedures to ensure that\n       components comply with these policies. OIG considers this recommendation\n       Open-Unresolved.\n\n       In response to Recommendation 5, the Acting Chief Privacy Officer did not\n       concur with our recommendation to establish a forum for the Department and\n       its components to collaborate and make decisions on the use of social media\n       tools. Specifically, the Acting Chief Privacy Officer stated that the seven\n       operational components have vast and diverse responsibilities, priorities, and\n       missions, making it difficult to expect component social media will be the same.\n       We understand there are different uses of social media across the Department.\n       The three categories mentioned in the Acting Chief Privacy Officer\xe2\x80\x99s comments\n       (communications and outreach, operational use, and situational awareness)\n       were described in the Background section and throughout our report.\n\n       Although the Acting Chief Privacy Officer did not concur with this\n       recommendation, in the comments, he provides evidence of DHS\xe2\x80\x99 commitment\n       to furthering collaboration for each use of social media. 
For example, the Acting\n       Chief Privacy Officer states in his comments that the Office of Public Affairs will\n       continue to work across the components to allow for the sharing of best\n       practices on the use of social media in public affairs. The Acting Chief Privacy\n       Officer also mentions multiple interactions between Headquarters and individual\n       components, as well as existing component level working groups and\n       information sharing methods already in place.\n\n       Further, contrary to the Acting Chief Privacy Officer\xe2\x80\x99s objection to this\n       recommendation, we determined there is support for such a working group.\n       Headquarters and component officials told us that a working group on social\n       media would be helpful. Additionally, officials told us that a Department-wide\n       working group had existed in the past, but disbanded when organizational\n       changes took place in the Office of Public Affairs. Employees we spoke with said\n       that the working group was beneficial as a method for sharing best practices on\n       the use of social media. Such a forum would enable components and\n       Headquarters staff to collaborate and enhance social media communication\n       across DHS. OIG considers this recommendation Open-Unresolved.\n\nAppendix A\nObjectives, Scope, and Methodology\nThe DHS Office of Inspector General (OIG) was established by the Homeland Security Act\nof 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. 
This\nis one of a series of audit, inspection, and special reports prepared as part of our\noversight responsibilities to promote economy, efficiency, and effectiveness within the\nDepartment.\n\nAs part of our ongoing responsibilities to assess the efficiency, effectiveness, and\neconomy of departmental programs and operations, we conducted this audit to\ndetermine the effectiveness of DHS\xe2\x80\x99 and its components\xe2\x80\x99 use of Web 2.0 technologies to\nfacilitate information sharing and enhance mission operations.\n\nWe researched and reviewed Federal laws and executive guidance related to the use of\nWeb 2.0 technologies. We obtained published reports, documents, and news articles\nregarding the use of social media by the Federal Government, OMB, and DHS in\nparticular. Additionally, we reviewed recent Government Accountability Office (GAO)\nreports to identify prior findings and recommendations regarding DHS\xe2\x80\x99 use of Web 2.0\ntechnologies. We used this information to establish a data collection approach that\nconsisted of focused interviews and documentation analysis to accomplish our audit\nobjectives.\n\nWe held interviews primarily at DHS headquarters. We interviewed more than 15 DHS\nheadquarters officials from the OCIO, OPA, the Office of Operations Coordination and\nPlanning, the DHS Office of Policy, and the DHS Privacy Office to discuss their roles and\nresponsibilities with regard to Web 2.0 technologies, the Department\xe2\x80\x99s use of social\nmedia, and the policies in place. We discussed security concerns and access controls\nand processes with the OCIO and OCISO. We met with OPA to learn more about using\nsocial media websites for communication and outreach. We discussed the use of social\nmedia for situational awareness purposes with the Office of Operations Coordination\nand Planning. We met with the DHS Office of Policy to learn about upcoming social\nmedia policies. 
To discuss privacy concerns and new privacy policies regarding the use\nof social media, we met with the DHS Privacy Office. We collected supporting\ndocuments about DHS\xe2\x80\x99 use of social media, Department-wide social media policies and\nprocedures, information on DHS social media committees, and privacy documentation\ncovering the current uses of social media by DHS operational components.\n\nTo assess the effectiveness of the Department\xe2\x80\x99s use of social media, we interviewed\nmore than 25 officials from DHS\xe2\x80\x99 seven operational components\xe2\x80\x94CBP, FEMA, ICE, TSA,\nUSCIS, USCG, and USSS\xe2\x80\x94to learn how social media were being used, the policies\ncurrently in place, and the accessibility of third-party social media websites. We met\nwith officials charged with overseeing and using social media at each of the seven\ncomponents, including public affairs offices at six of the components, five component\nprivacy offices, and officials at the OCISO at five components. Major component level\nCounsel Offices were also interviewed during the audit. Additionally, we met with\ncomponent officials using social media for outreach, situational awareness,\ninvestigations, and intelligence purposes to learn more about the benefits and\nchallenges of using Web 2.0 technologies.\n\nWe conducted audit field work from August to November 2012 at DHS Headquarters\nand operational component headquarters in Washington, D.C. We conducted this\nperformance audit pursuant to the Inspector General Act of 1978, as amended, and\naccording to the generally accepted government auditing standards. 
These standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based upon our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions, based upon our audit objectives. The principal OIG points of\ncontact for this audit are Frank Deffer, Assistant Inspector General for Information\nTechnology Audits, and Richard Harsche, Director of Information Management.\nAppendix C identifies major OIG contributors to the audit.\n\nAppendix B\nManagement Comments to the Draft Report\n\n       Privacy Office\n       U.S. Department of Homeland Security\n       Washington, DC 20528\n\n       Homeland\n       Security\n\n       May 10, 2013\n\n\n       MEMORANDUM FOR:    Frank Deffer\n                          Assistant Inspector General\n                          Office of Information Technology Audits\n\n       FROM:              Jonathan R. 
Cantor\n                          Acting Chief Privacy Officer\n\n       SUBJECT:           Response to Office of Inspector General Draft Report: DHS Uses\n                          Social Media To Enhance Information Sharing and Mission\n                          Operations, But Additional Oversight and Guidance Are Needed -\n                          For Official Use Only (OIG Project No. 12-029-ITA-MGMT)\n\n       Thank you for the opportunity to review and provide comments on the subject Draft Report,\n       which includes observations and recommendations related to Department of Homeland\n       Security\'s (DHS or Department) use of social media for a variety of purposes. We appreciate the\n       Office of Inspector General\'s (OIG) work in planning and conducting its review and issuing this\n       report. The Department has significant concerns regarding the accuracy of the subject report and\n       Office of Inspector General\'s (OIG) recommendations as drafted.\n\n       Following a Privacy Office investigation into a Component\'s operational use of social media in a\n       manner inconsistent with DHS privacy policy, the Privacy Office developed a draft\n       Department-wide policy for operational use of social media. The Department subsequently issued this policy\n       as Directive 110-01, Privacy Policy for Operational Use of Social Media (June 8, 2012). The\n       Directive is in full effect across the Department. 
Per this Directive, the DHS Privacy Office is\n       the lead on privacy policy for operational use of social media at the Department.\n\n       The Draft Report (1) mischaracterizes the breadth and applicability of Directive 110-01; (2) fails\n       to accurately portray the work done to implement the Directive;[1] and (3) despite the existence of\n       the Directive, maintains the inaccurate position that there is a lack of Department-wide guidance\n       regarding the operational use of social media.[2]\n\n       [1] See specifically Recommendation 4: "Ensure that components develop and implement social media policies, as\n       needed."\n       [2] See specifically Recommendation 3: "complete the department-wide social media policy to provide legal,\n       privacy, and information security guidelines for approved uses of social media."\n\n       The Privacy Office strongly disagrees with the OIG\'s characterization that "[c]omponents did\n       not have adequate guidelines or policies to prevent unauthorized or inappropriate uses of\n       technologies by employees" (Draft Report, page 12). Directive 110-01 and its corresponding\n       Instruction 110-01-001 establish the privacy policy for operational use of social media by the\n       Department. Employing the authorities of the Chief Privacy Officer, Component privacy\n       officers, the Office of the General Counsel, and the Chief Information Officer, 
Directive 110-01\n       and its accompanying Instruction lay out a comprehensive framework for the protection of\n       personally identifiable information (PII) when using social media and appropriate use of social\n       media by Department personnel for operational purposes, including for situational awareness and\n       law enforcement. The Instruction requires all DHS employees to comply with the Directive,\n       privacy policies and procedures of the Chief Privacy Officer and applicable Component policies\n       on the operational use of social media, and to protect PII from unauthorized use or disclosure.\n\n       The Privacy Office disagrees with the OIG\'s conclusion that while "[r]ecent efforts to establish\n       privacy guidelines for operational uses of social media are progressing ... additional\n       component-level policies and procedures are needed" (Draft Report, page 12). This conclusion\n       minimizes the substantial compliance efforts of DHS Components in the ten months since DHS\n       issued Directive 110-01. The Privacy Office has received and approved Social Media\n       Operational Use Templates ("Templates") and Rules of Behavior, as required by Directive\n       110-01, for nearly all Components whose personnel engage in the use of social media for operational\n       purposes. With the exception of the U.S. Secret Service, which was granted an extension of the\n       implementation deadline due to the Presidential election and Inauguration activities, nearly all\n       operational Components have developed and implemented new training, as required by Directive\n       110-01. The U.S. Secret Service has subsequently completed training of their personnel. The\n       DHS Privacy Office continues to work with Components to comply with the Directive and\n       implement Component-wide policies.\n\n       The DHS Privacy Office established and enforces standards for the use of social media that\n       incorporate privacy protections and are transparent. 
Directive 110-01 provides standards for\n       Components to use social media for operational purposes while incorporating privacy\n       protections. In addition, the DHS Privacy Office approved and published three Privacy Impact\n       Assessments (PIA) on how the Department uses social media: two for the use of social media for\n       communications and outreach purposes and one for the use of social media for situational\n       awareness by the National Operations Center (NOC). The DHS Privacy Office has conducted\n       five Privacy Compliance Reviews (PCR) as follow-ups to the NOC PIA; all five PCRs\n       concluded that the NOC\'s use of social media was appropriate. Although the Department has\n       been transparent regarding its use of social media, misperceptions still exist. Issuing a report that\n       implies the Department\'s use of social media is not within regulatory or policy limits would pose\n       significant potential harm to the Department\'s ability to conduct current and future operations.\n\n       Department Response to Recommendations\n\n       The Department previously provided technical comments and corrections of factual errors to the\n       OIG under separate cover. 
OIG recommends that the Deputy Under Secretary for Management\n       work with the Office of Public Affairs, Office of Policy, Privacy Office, and Office of the CIO\n       to:\n\n       Recommendation 1: Communicate the department\'s process for gaining access to social media\n       for employees with an approved business need.\n\n       Response: Concur. The Department already has an established process for gaining access to\n       social media through the Secure Internet Gateway (SIG). DHS employees with an approved\n       business need can obtain a SIG request form by contacting DHS IT Support.\n\n       The Office of Public Affairs (OPA), in coordination with the Chief Information Officer (OCIO),\n       will make available on the DHS Intranet all applicable details of the SIG process for gaining\n       access to social media sites for employees with an approved business need. OPA recommends\n       that Components provide input on how their employees can apply for access, which will be\n       included on the DHS Intranet. Additionally, OPA encourages Component internal\n       communicators to post links to the social media Intranet page on their respective Intranet sites,\n       along with Component-specific information related to social media use. For example, the U.S.\n       Secret Service developed a "Social Media" section on its Intranet, posting all relevant policies\n       and directives governing the use of social media by USSS employees for operational and\n       non-operational purposes.\n\n       To better communicate with employees regarding the appropriate use of social media and\n       address this recommendation across the Department, OPA will revise the current social media\n       page on the DHS Intranet to reflect any and all recent updates and include additional information\n       and guidance, as well as relevant policy documentation. 
This page currently describes the use of\n       social media across the Department, and details the application process for Components,\n       programs, and offices that want to establish an official social media presence for public affairs\n       purposes. The current Intranet page also houses the list of social media accounts utilized for\n       public affairs purposes. Estimated Completion Date (ECD): October 1, 2013\n\n       Recommendation 2: Develop and maintain a list of approved social media accounts and owners\n       throughout the Department.\n\n       Response: Non-Concur. A list of approved social media accounts for public affairs purposes\n       already exists. Information about those who maintain an account for public affairs purposes\n       exists for internal use only. OPA collects this information, including information about the\n       account holder, the account password, and the intended use of the account, during the application\n       process as part of its responsibility to oversee social media activity by Department public affairs\n       personnel.\n\n       For other purposes, maintaining such information in a Department-wide list compromises\n       security and investigative integrity, leading to the potential for a breach of the information.\n       Instead, lists will be maintained by business owners. 
For example, CBP\'s draft Directive for\n       operational use of social media requires the business owner of the system through which social\n       media access occurs to maintain an accounting of approved users and purposes.\n\n       Further, the Draft Report references Office of Management and Budget Guidance for Agency\n       Use of Third-Party Websites and Applications (OMB M-10-23), June 25, 2010; however, the\n       guidance does not require Departments to maintain an inventory of operational users of social\n       media. Information about these accounts, which could include accounts for law enforcement\n       purposes, and their intended use, must be distributed only to those with a need to know and not\n       be compiled in a single, Department-wide list.\n\n       Recommendation 3: Complete the Department-wide social media policy to provide legal,\n       privacy, and information security guidelines for approved uses of social media.\n\n       Response: Concur. The Department concurs with this recommendation, provided that the\n       Department-wide social media Directive is consistent with DHS privacy policies and guidance,\n       Directive 110-01, and other existing Department policies. The Department will develop social\n       media guidance to address the Department\'s many growing uses of social media to build on and\n       enhance existing policies. It is important to note that Attachment X of DHS 4300A provides\n       clear and succinct guidance to leverage regarding the use of social media for public affairs\n       purposes, and required information security guidelines for approved uses of social media. ECD:\n       December 2013\n\n       Recommendation 4: Ensure that components develop and implement social media policies, as\n       needed.\n\n       Response: Non-Concur. Directive 110-01 and its accompanying Instruction provide for\n       implementation for categories of operational use of social media. 
Implementation of the
Instruction includes the completion of Templates, along with Component-specific Rules of
Behavior, and Component-based training of employees prior to engaging in the operational use
of social media. Templates document the current or proposed category of operational use of
social media; identify the appropriate authorities for the category of use; describe what PII, if
any, is collected (and from whom); and describe how the information is used. After initial
Templates are approved, if Components determine to engage in, or contract for, new or modified
categories of operational use of social media, the Instruction requires them to complete a new
Template that includes Rules of Behavior and provides for any necessary training before the new
category of use can be approved. The DHS Privacy Office reviews approved Templates every
three years for accuracy.

Templates and draft Rules of Behavior for existing categories of operational use of social media
were due to the DHS Privacy Office by October 12, 2012. Prior to the submission deadline, the
DHS Privacy Office received sixteen completed Templates for review from Components. Of the
sixteen completed Templates, thirteen were approved by the DHS Privacy Office by November
7, 2012, and provided to the Office of Inspector General as part of its fieldwork for this Draft
Report, to demonstrate Component compliance with Directive 110-01.
The remaining three
Templates were approved by the DHS Privacy Office in December 2012.

Directive 110-01 and its accompanying Instruction require Component Privacy Officers and
Privacy Points of Contact to tailor privacy training for the operational use of social media based
on Component-specific needs. The DHS Privacy Office provided a baseline training slide deck
to the Components on July 23, 2012, for further tailoring by Components based on the category
of operational use of social media. The Instruction requires Components to complete employee
training by November 26, 2012. The DHS Chief Privacy Officer granted an extension of this
deadline to the U.S. Secret Service due to the Presidential election and Inauguration and required
U.S. Secret Service to complete its training by March 1, 2013. On February 6, 2013, the U.S.
Secret Service Privacy Office sent an official message to Assistant Directors of several U.S.
Secret Service directorates requiring employees whose positions may require the use of social
media for operational purposes to complete mandatory privacy training on the operational use of
social media.

Components have been developing social media policies and communicating requirements to
their employees to adhere to Directive 110-01 since the Directive became effective and even
before. For example, prior to the issuance of Directive 110-01, the U.S.
Secret Service
developed several internal directives governing the management of content on social media sites,
standards of conduct for employees using social media, standards for use of social media for
unofficial purposes, and provided guidance on privacy and mitigation issues concerning the use
of social media on government equipment. In October 2012, the U.S. Secret Service Privacy
Office sent an official message to all employees and supervisors notifying them of the
newly-developed U.S. Secret Service privacy policy, which established Rules of Behavior governing
the use of social media for law enforcement and non-law enforcement purposes.

The U.S. Coast Guard and U.S. Immigration and Customs Enforcement (ICE) circulated
memoranda to their respective personnel detailing Rules of Behavior and responsibilities for
using social media for operational purposes prior to granting access to the social media after
Directive 110-01 was issued. In response to Directive 110-01, the U.S. Customs and Border
Protection (CBP) Privacy Office drafted an internal Directive for Operational Use of Social
Media memorializing the process for establishing Rules of Behavior, the method for gaining
access to social media and the responsible parties, and the different levels of operational use of
social media within CBP.

The DHS Privacy Office continues to receive Templates from Components as additional
operational uses of social media are identified. To date, the DHS Privacy Office has approved
three additional Templates for categories of operational use of social media.

Given that the Chief Privacy Officer approves Component-specific Templates and Rules of
Behavior,
and given appropriate training for the operational use of social media and the ongoing
work done by Component Privacy Officers and Privacy Points of Contact to comply with
Directive 110-01, this recommendation is unnecessary and creates redundant requirements for
Components.

Recommendation 5: Establish a forum for the Department and its components to collaborate
and make decisions on the use of social media tools.

Response: Non-Concur. DHS' seven operational Components, while serving the DHS mission
at large, have vast and diverse responsibilities, priorities, and missions. For this reason, it is
difficult to put seven operational Components under the same umbrella for the use of "Web 2.0"
technology and to expect that Component uses will be the same across the board. The audit
attempted to summarize all of the work of Headquarters and operational Components, which
includes several law enforcement Components, a disaster recovery Component, and the
Component that administers citizenship, into generic "DHS' work." As social media are used at
DHS for three very distinct purposes - public affairs, situational awareness, and operational
use - a generic forum for all social media practitioners fails to recognize the very different
missions, needs,
and operations of DHS' diverse Components and missions.

Regarding the situational awareness and operational uses of social media at the Department, this
report acknowledges that there is not currently a formalized structure for discussions on the use
of social media. Useful, educational, and informal communication does take place among
operational users of social media at the Department, however, the Department remains
committed to furthering such collaboration.

Creating a formal entity for social media public affairs practitioners to collaborate may promote
consistent messaging and current best practices. Due to the Department's diverse and
wide-ranging mission, however, as well as the ever-changing nature of social media, such an entity
needs to be dynamic and not limited to in-person communication.

As the DHS mission is so diverse, it is logical for public affairs professionals to work together to
ensure a "One DHS" message. In fact, public affairs employees from around Headquarters and
across the operational and support Components constantly work together on both internal and
external products, including social media.

Additionally, OPA will continue to work across Components to allow for the sharing of best
practices on the use of social media in public affairs. Forums for collaboration on social media
already exist, both internally and government-wide, and the Department will continue to seek
new opportunities to network and collaborate on best practices.

As an example, DHS Headquarters public affairs works with counterparts at the following
Components, among others:
• ICE, to inform the public about successful Homeland Security Investigations on social media channels.
• Federal Emergency Management Agency (FEMA) Headquarters, as well as staff in its 10 regions nationwide, to provide preparedness messaging to the public.
• U.S.
Secret Service, to communicate information about upcoming National Security Special Events.

Many DHS Components are already utilizing forums, both formal and informal, to collaborate.
For example, FEMA Headquarters utilizes the SharePoint tool to collaborate with its digital
communications staff located throughout the country in the FEMA Regional Offices, increasing
efficiency, information sharing, and coordination. U.S. Citizenship and Immigration Services
established a Social Media Working Group in May 2012 to develop component-wide policies
related to operational use of social media and compliance with Directive 110-01, as well as to
address evolving policy and issues related to social media use. The CBP Privacy Office's
monthly compliance meetings with privacy liaisons and the CBP draft Directive on operational
use of social media provide a framework for addressing component requirements and uses
related to social media.

Furthermore, formalized tools for social media public affairs professionals currently exist, and
are available to DHS employees at no cost. The General Services Administration (GSA) Center
for Excellence in Digital Government "provides government-wide support and solutions that
help agencies deliver excellent customer service to the public via web, social media, mobile,
phone, email, print, and newly evolving media.
These solutions include training via DigitalGov
University; standards and best practices via HowTo.gov; support to inter-agency communities of
practice such as the Federal Web Managers Council; access to cost-cutting tools and technology;
and research and analytics on citizen needs and expectations for better service. In addition, the
Center is an accelerator and incubator for government-wide new media and citizen engagement
solutions, making it easier for the government and the public to constructively engage via tools
such as Challenge.gov." Additionally, the GSA-sponsored Social Media Community of Practice
(SM-COP) is a collaborative forum for practitioners from across the government to share
thoughts and ideas.

Thank you for the opportunity to review and comment on this draft report. Please feel free to
contact me if you have any questions. We look forward to working with you in the future.

Appendix C
Major Contributors to This Report
Richard Harsche, Division Director
Kristen Bernard, Audit Manager
Craig Adelman, Auditor-in-Charge
Thea Calder, Auditor
Beverly Dale, Referencer
David Bunning, Referencer

Appendix D
Report Distribution
Department of Homeland Security
Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of
Public Affairs
Assistant Secretary for Office of Legislative Affairs
DHS Chief Information Officer
DHS Chief Information Security Officer
Director, Office of Operations Coordination and Planning
Acting Chief Privacy Officer
CBP, Commissioner
FEMA, Administrator
ICE, Director
TSA, Administrator
USCG, Admiral
USCIS, Director
USSS, Director
DHS OCIO Liaison
CBP Liaison
FEMA Liaison
ICE Liaison
TSA Liaison
USCG Liaison
USCIS Liaison
USSS Liaison

Office of Management and Budget
Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress
Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your
request to (202) 254-4305, or e-mail your request to our Office of Inspector General
(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter
at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any
other kinds of criminal or noncriminal misconduct relative to Department of Homeland
Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov
and click on the red tab titled "Hotline" to report. You will be directed to complete and
submit an automated DHS OIG Investigative Referral Submission Form.
Submission
through our website ensures that your complaint will be promptly received and
reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing
to:

       Department of Homeland Security
       Office of Inspector General, Mail Stop 0305
       Attention: Office of Investigations Hotline
       245 Murray Drive, SW
       Washington, DC 20528-0305

You may also call 1(800) 323-8603 or fax the complaint directly to us at
(202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.